Cybersecurity is one of the largest concerns for any IT department. Most businesses maintain mass amounts of data on their clients and employees, and breaches can be costly and devastating. Breaches to companies such as Equifax and Yahoo, as well as government entities, have highlighted the need in new light.
So much so government is looking to step in. Rep. Tom Graves (R- Ga.) and Rep. Kyrsten Sinema (D-Ariz.) have introduced a bill called the Active Cyber Defense Certainty Act (ACDC). The two representatives are proposing a Make My Day like law for cybersecurity.
Is allowing businesses retribution when hacked a good idea?
What is the ACDC?
Traditionally businesses have a defense entirely built on firewalls, coding, and encrypting. When a hacker has made it past these defenses, a business has very few options. The process is long, drawn out, and time consuming. Data is rarely retrieved before it is sold or turned into profit.
The main idea behind the new legislation is empowering businesses to counterattack, or in other words hack back, any group or individual who has stolen data. In theory this bill proposes to level the playing field, taking out the resource stretched law enforcement agencies when a company is hacked.
Hacking back allows businesses to go after their stolen data, destroying files and servers. The idea is not businesses have free license to become vigilante hackers. Rather, a hacked business will alert the authorities, provide sufficient evidence, and then proceed with attempting recovery or destruction.
Pros to hacking back
As with all legislation, there is a positive intent. Namely, a company or cybersecurity agency can act more quickly on a hacked system than law enforcement.
The analogy most often used is bank security. That is banks hire their own security as police forces are too resource stretched for daily protection. By allowing “active defense,” the criminal hacking would slow down or become non-existent.
This type of analogy relies on physical world comparisons. Also, it is built on the principle of an organization’s right to defend its own interests.
Cons to hacking back
Unfortunately, that is where one of the largest drawbacks of hacking back can arise. Namely, what is a business’ interest and what would be classified as hacking.
Opponents to laws such as ACDC state allowing businesses to participate in breaches of servers, regardless of intent, would add to chaos. The guidelines of hacking are ambiguous at best. Not to mention there are white hat operations who regularly work systems to test for weaknesses, as well as the potential for staging fake attacks.
Also, the bill does not consider two forms hacking can take: using IoT devices and hackers leveraging innocent IP addresses. In the first situation, hacking back would be impossible and serves no purpose. In the second, the business becomes liable for damaging an innocent individual’s property.
Similarly, the law only applies to hacking that occurs on American soil. If a hack back finds a server in another country, the business is powerless to proceed further. Per the point above, hackers regularly use several different IP addresses all over the world to perform their activity.
Businesses creating an active defense is costly and time consuming. A business has two choices if the approach is an offensive approach: hire a cybersecurity company to operate within the system or burden already overstretched IT departments. The first option has the potential of more complications. Namely, giving an outside company complete access to the system and data, as well as trusting a company to find the hackers when that would end their revenue. The second means more budget for an unproven ROI.
Cybersecurity companies overwhelming disagree that ACDC would benefit businesses or decrease hacking.
Similarly, tech giants are not clamoring for this ability either. Although history has record of a few giants taking things into their own hands, such as Google and Ethereum, the examples are few and far between. Rather, businesses are focusing on working together and progressing cybersecurity to beat the hackers through traditional methods.
Although the new legislation seems an exciting option where businesses can take control rather than waiting around to be the next victim, the overwhelming evidence points towards hacking back being bad for business. Rather, partnering with a security company and ensuring your systems are as up to date is the better approach.